Engineering

Yelp's Bug-Bounty Map

Martin Georgiev, Software Engineer

Sep 6, 2016

For the past two years we’ve been running a private bug-bounty program. We
worked with academic researchers and bug hunters from all over the world and,
as a result, we have fixed over a hundred potential vulnerabilities, and have
paid bug bounties to dozens of security experts.

Today we’re launching our public
bug-bounty program as our next step towards
improving the security of Yelp’s systems and services. Our vulnerability reward
payouts will go up to $15,000 USD for the most impactful exploits.

Since getting familiar with our infrastructure may be a bit intimidating,
we’ve put together some information below to help you through the bootstrap
process.

Consumer Site

Purpose: With millions of people using Yelp every day both on their desktops
and mobile devices, our consumer site is one of our major assets. Users come to
our consumer site to search for and message local businesses, order food, review
local establishments, engage with other local users, etc.

Under the hood: Python, Java, C++.

What to look for: We are interested in any vulnerabilities that allow an
attacker to map user profiles to their respective email addresses. Other
critical vulnerabilities in our consumer site would involve the ability of a
malicious user to modify other users’ reviews, order food for free or gain
access to another user’s payment details, e.g., reveal card numbers (PANs).
Look also for web vulnerabilities that result in sensitive data disclosure,
data injection/exfiltration, insecure session management, etc.

Business Owner’s Site

Purpose: Our biz site allows business owners to manage their Yelp
presence, track visitor engagement, respond to customer inquiries and messages,
reply to reviews with a private message or a public comment, subscribe to
advertising programs and track ad spending.

Under the hood: Python, Java, C++.

What to look for: Similar to the consumer site, look for any web
vulnerabilities that result in authentication or authorization bypass,
sensitive data exfiltration, data injection, or request forgery. We are
especially interested in vulnerabilities that allow an attacker to impersonate
a business owner, escalate account privileges within a business page
(e.g., upgrade an employee account to an admin account), modify ad spending,
obtain non-public or bulk data sets that ought to be restricted to the business
owners, or obtain non-public or bulk information about Yelp users’ interactions
with a particular business.

Mobile Apps

Purpose: Our consumer apps help users find great local businesses while
on the go. The biz apps offer a bundle of free tools that enable business
owners to advertise their businesses and connect with the Yelp community.

In the most recent quarter, content (reviews and photos) on Yelp was predominantly
generated from our mobile apps, and searches on Yelp, by and large, came from mobile
devices. Thus, we’re dedicated to ensuring the security of our iOS and Android
apps.

Under the hood: The backend API is written in Python. Our iOS apps are
written in Objective-C and Swift, and integrate a number of libraries via
CocoaPods. Our Android apps are written in Java and integrate libraries via
Maven, including Glide for image loading, Apache’s HTTP client for web requests,
and Android Priority Job Queue for high priority jobs. Several components of our
apps use WebViews. Always test against the latest version of the app currently
available on Google Play (Android) or the App Store (iOS).

What to look for: In this category, we are most interested in
mobile-specific vulnerabilities. Look for insecure storage of data, insecure
WebView configurations, insecure network connections, sensitive data disclosure
via logs/errors, broken privilege separation between app components, etc.
Vulnerabilities that allow tracking a large number of users in real time are
also considered high-severity issues.
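As an added illustration of what "insecure WebView configs" means in practice, here is an Android WebView set up the way a bug hunter hopes to find it, next to a hardened configuration. This is example code written for this page, not Yelp's own; the allowlisted host, the `needsJavaScript` flag and the URL passed in are assumptions for the illustration.

```java
// Added example, not Yelp's code. Shows the WebView settings a reviewer flags
// (left as configureInsecure) beside a hardened setup (configureHardened).
import android.annotation.SuppressLint;
import android.net.Uri;
import android.net.http.SslError;
import android.os.Build;
import android.webkit.JavascriptInterface;
import android.webkit.SslErrorHandler;
import android.webkit.WebSettings;
import android.webkit.WebView;
import android.webkit.WebViewClient;

import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;

public final class WebViewConfigs {

    /** Object exposed to page JavaScript. On API 17+ only @JavascriptInterface methods are callable. */
    public static class NativeBridge {
        @JavascriptInterface
        public String appVersion() { return "1.0"; }
    }

    /** The insecure shape: every setting worth a bug report, in one place. */
    @SuppressLint({"SetJavaScriptEnabled", "AddJavascriptInterface"})
    public static void configureInsecure(WebView wv, String untrustedUrl) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(true);
        s.setAllowFileAccess(true);                  // file:// URLs can be loaded
        s.setAllowFileAccessFromFileURLs(true);      // a file:// page may read other local files
        s.setAllowUniversalAccessFromFileURLs(true); // a file:// page may reach any origin (XHR)
        // Below API 17 every public method (and, via reflection, Runtime.exec) is reachable from JS.
        wv.addJavascriptInterface(new NativeBridge(), "Android");
        wv.setWebViewClient(new WebViewClient() {
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.proceed();                   // accepts any certificate: trivial MITM
            }
        });
        wv.loadUrl(untrustedUrl);                    // e.g. taken straight from an Intent extra
    }

    /** Hardened shape: JS only where needed, no file:/content: origins, host allowlist, no TLS bypass. */
    @SuppressLint("SetJavaScriptEnabled")
    public static void configureHardened(WebView wv, String url, Set<String> allowedHosts,
                                         boolean needsJavaScript) {
        WebSettings s = wv.getSettings();
        s.setJavaScriptEnabled(needsJavaScript);
        s.setAllowFileAccess(false);
        s.setAllowContentAccess(false);
        s.setAllowFileAccessFromFileURLs(false);
        s.setAllowUniversalAccessFromFileURLs(false);
        // Expose a bridge only when the page needs one, and never on pre-17 devices.
        if (needsJavaScript && Build.VERSION.SDK_INT >= Build.VERSION_CODES.JELLY_BEAN_MR1) {
            wv.addJavascriptInterface(new NativeBridge(), "Android");
        }
        wv.setWebViewClient(new WebViewClient() {
            @Override // String overload kept for pre-API-24 devices; returning true blocks the navigation
            public boolean shouldOverrideUrlLoading(WebView view, String target) {
                return !isAllowed(target, allowedHosts);
            }
            @Override
            public void onReceivedSslError(WebView view, SslErrorHandler handler, SslError error) {
                handler.cancel();                    // never proceed past a certificate error
            }
        });
        if (isAllowed(url, allowedHosts)) {
            wv.loadUrl(url);
        }
    }

    /** Scheme and host check applied to the initial load and to every in-page navigation. */
    static boolean isAllowed(String url, Set<String> allowedHosts) {
        Uri u = Uri.parse(url);
        return "https".equals(u.getScheme())
                && u.getHost() != null
                && allowedHosts.contains(u.getHost().toLowerCase());
    }

    // Usage (host and URL are assumptions for the example):
    // configureHardened(webView, "https://www.example.com/help",
    //         new HashSet<>(Arrays.asList("www.example.com")), false);
}
```

When testing an app, the checklist in `configureInsecure` maps directly onto what to report: a bridge reachable from a page whose URL an attacker controls, file-origin access that turns an XSS in a local page into file disclosure, and an `onReceivedSslError` that proceeds, which converts any hostile network into a full interception of the WebView's traffic.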

Engineering Blog, The Yelp Blog

Purpose: We use our engineering blog to notify the general public about
all the cool technology we are developing here at Yelp. The Yelp Blog is the
official voice of Yelp HQ. We use it to talk about news, product, community,
business, etc.

What to look for: Vulnerabilities that enable attackers to add, delete or
modify any of the content on the engineering blog. We are also interested in
disclosure of sensitive information via path traversal and vulnerabilities in
the authentication component of the system.

Public API

Purpose: We recently released our
Public API v3
in developer preview mode. This API aims to enable third-party developers to
build great mobile and web apps on top of our data. With API v3, developers can
programmatically search for great local businesses, retrieve review excerpts,
obtain business specific data such as address, phone number and photos.

While most of our effort going forward will be focused on the Public API v3,
its predecessor, Public API v2, will continue to exist. Our API v2 supports
geographically-oriented search, searching for businesses offering a Yelp Deal,
identifying businesses that have been claimed on Yelp, etc.

Under the hood: Python, Pyramid, uWSGI.

What to look for: Focus on authentication bypasses, rate limiting issues
and the ability to obtain a large number of full-length reviews. We are also
interested in data injection attacks that may alter the internal state of our
data stores or leak sensitive information to malicious users.

Yelp Support

Purpose: We use the Support Center to provide answers to frequently asked
questions in categories such as searching on Yelp, managing your user profile,
managing your business presence, acquiring and maintaining an Elite status, etc.

Under the hood: Salesforce’s Service Cloud Platform.

What to look for: We are interested in any vulnerability that allows an
unauthorized modification of content.

The security team at Yelp is committed to keeping our users, our data, and our
platform and services safe and sound. If you find a security issue in any of our
systems, let us know immediately. We are ready to
work with you and make every effort to address the identified vulnerability in
a timely manner.